EP3423985B1 - Techniques for protecting security features of integrated circuits - Google Patents

Techniques for protecting security features of integrated circuits Download PDF

Info

Publication number
EP3423985B1
EP3423985B1 EP17760462.6A EP17760462A EP3423985B1 EP 3423985 B1 EP3423985 B1 EP 3423985B1 EP 17760462 A EP17760462 A EP 17760462A EP 3423985 B1 EP3423985 B1 EP 3423985B1
Authority
EP
European Patent Office
Prior art keywords
circuit
time programmable
security feature
integrated circuit
control circuit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP17760462.6A
Other languages
German (de)
French (fr)
Other versions
EP3423985A4 (en
EP3423985A1 (en
Inventor
Bruce Pedersen
Ting LU
Brian Wong
Alok DOSHI
Yun Sum WONG
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Altera Corp
Original Assignee
Altera Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Altera Corp filed Critical Altera Corp
Publication of EP3423985A1 publication Critical patent/EP3423985A1/en
Publication of EP3423985A4 publication Critical patent/EP3423985A4/en
Application granted granted Critical
Publication of EP3423985B1 publication Critical patent/EP3423985B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/26Power supply means, e.g. regulation thereof
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671In-line storage system
    • G06F3/0673Single storage device
    • G06F3/0679Non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3278Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2206/00Indexing scheme related to dedicated interfaces for computers
    • G06F2206/10Indexing scheme related to storage interfaces for computers, indexing schema related to group G06F3/06
    • G06F2206/1014One time programmable [OTP] memory, e.g. PROM, WORM

Definitions

  • the present disclosure relates to electronic circuits and systems, and more particularly, to circuits and methods for protecting security features of integrated circuits.
  • a field programmable gate array is an integrated circuit that has programmable logic circuits and programmable routing circuits.
  • the programmable logic and routing can be configured with a configuration bitstream that is loaded into the FPGA from an external source.
  • An FPGA may also have a test mode that is used by the manufacturer of the FPGA to check that the FPGA is fully-functional before being sold, and also used to perform failure analysis on an FPGA returned from the field. Test mode often provides greater access and control over elements in the FPGA than the access and control provided to an ordinary user through the bitstream.
  • An FPGA may contain a fuse that can be used to permanently disable test mode access or to prevent the programming or read-back of encryption keys.
  • US 2014/0137271 A1 relates to data security and access tracking in a memory deivce.
  • the memory device includes but is not limited to a substrate, a non-volatile memory array integrated on the substrate, and data security logic integrated with the non-volatile memory array on the substrate.
  • the data security logic is operable to perform at least one data security function associated with the non-volatile memory array.
  • US 2010/0174848 A1 dislcoses a data processing apparatus which comprises a monolithic integrated circuit having a data processor, a non-volatile memory storing at least one security code, and at least one interface at the boundary of the integrated circuit via which communication with the data processor can occur. Processing by the data processor of data received at the at least one interface is controlled by the at least one security code.
  • GB 2331821 A discloses an electronic sealed envelope. Restricted data is stored on e.g. a smart card having a memory and a processor. Preferably the restricted data is stored in groups.
  • the smart card may store a record of users authorized to access certain groups of restricted data.
  • An owner of the smart card must authorize registration of new users by entering their password, the new users are then given their own passwords in order to retrieve certain groups of restricted data.
  • the smart card irretrievably modifies a codeword of the restricted data group, each codeword corresponding to an authorized user. The owner of the smart card is then able to determine if the restricted data has been accessed by checking for modified codewords.
  • US 2011/0141791 A1 discloses a system and a method to control a one-time programmable memory.
  • a device includes the one-time-programmable memory including multiple random accessible input/output pins. Each random accessible I/O pin corresponds to a unique memory address in the one-time-programmable memory.
  • the device also includes a multiplexing circuit with multiple inputs. Each of the multiple inputs is coupled to one of the multiple random accessible I/O pins.
  • An output of the multiplexing circuit has a bit width that is less than the number of the multiple random accessible I/O pins.
  • US 2015/0082420 A1 relates to security certificates for system-on-chip (SoC) security.
  • SoC includes multiple hardware modules that are implemented on a substrate.
  • the hardware modules include a plurality of hardware and software security features and the SoC provides one or more external interfaces for accessing the security features.
  • a validation module implemented in the boot code of the SoC for example, manages security certificates to control access to the plurality of security features.
  • Each security certificate includes one or more unique identifiers corresponding to one or more hardware modules in the SoC and access control settings for one or more security features of the one or more hardware modules.
  • the security certificate additionally includes a certificate signature signed by a secure key.
  • an integrated circuit includes a control circuit, a one-time programmable circuit, and a security feature.
  • the control circuit determines if the one-time programmable circuit is programmed in response to a request by a user of the integrated circuit to access the security feature.
  • the control circuit generates a signal to indicate to the user of the integrated circuit that the security feature has been previously accessed if the control circuit determines that the one-time programmable circuit has been programmed to indicate a previous access to the security feature.
  • the control circuit causes the one-time programmable circuit to be programmed in response to the request if the control circuit determines that the one-time programmable circuit has not been programmed.
  • Field programmable gate array (FPGA) integrated circuits are often used in critical commercial, industrial, and military infrastructure; and therefore, they may be subject to attack by hostile adversaries.
  • An attack may be intended to damage an FPGA device, to cause the device to fail prematurely due to life-time stress conditions, or to make a deployed device more susceptible to future attacks.
  • test mode of an FPGA device could be used to deliberately over-stress certain transistors in the FPGA device, making the transistors susceptible to premature negative bias temperature instability (NBTI) effects. These effects could be used to imprint static random access memory (RAM) or registers in the FPGA device, causing them to power-up to a known state that is favorable to an attacker.
  • NBTI premature negative bias temperature instability
  • Another form of an attack involves intercepting secrets that are stored in the FPGA, such as encryption keys. These secrets stored in the FPGA device may be protected by unique values in the FPGA device, such as unique values created by physically unclonable functions (PUPs). These values may need to be known by the end user of the FPGA before deploying the device, but the end user would want to prevent an attacker from extracting the secret before or after the FPGA is deployed, because an attacker might intercept the FPGA anywhere along its supply chain. Other forms of tampering may have less malicious motivation, but still need to be protected against. For example, the reselling of previously used (and thus partially stressed and worn-out) FPGA devices as new and fresh FPGA devices would also have the effect of causing the FPGA devices to unexpectedly fail prematurely in their second application.
  • PUPs physically unclonable functions
  • a security feature of an integrated circuit is protected by a one-time programmable circuit.
  • a control circuit may allow a user access to the security feature of the IC based on the state of the one-time programmable circuit.
  • the control circuit may prevent a user from accessing the security feature of the IC based on the state of the one-time programmable circuit.
  • the security feature may be, for example, an encryption key, a physically unclonable function (PUF), a secure storage area of the IC, a test mode of the IC, a configuration mode of an FPGA, or a user mode of an IC.
  • the security feature may also be referred to as a secure feature.
  • the control circuit may allow a user to access the security feature of the IC only until the next power on reset of the IC that occurs after the one-time programmable circuit has been programmed by setting a security feature access register. After the next power on reset of the IC, the IC clears the security feature access register to a cleared state. In response to the security feature access register being in a cleared state, the control circuit prevents a user from accessing the security feature of the IC.
  • the security feature access register may, for example, remain in a cleared state indefinitely, or the security feature access register may be set again by another one-time programmable circuit.
  • Figures 1-4 illustrate some examples of these embodiments.
  • FIG. 1 illustrates an example of a security feature access system 100, according to an embodiment.
  • the security feature access system 100 of Figure ( FIG.) 1 includes a control circuit 101, a security feature access register circuit 102, a one-time programmable circuit 103, and a security feature 104.
  • Security feature access system 100 including circuits 101-104, may be located entirely within an integrated circuit (IC).
  • the IC may be, for example, an FPGA, a programmable logic device (PLD), a programmable logic array (PLA), a processor, a memory device, an analog device, or any other type of IC.
  • Control circuit 101 may be, for example, a state machine, a processor circuit, a portion of a processor circuit, programmable logic circuits programmed to function as a controller, or another type of control circuit.
  • System 100 supports two-way communication between control circuit 101 and each of security feature access register 102, one-time programmable circuit 103, and security feature 104, as shown by arrows in FIG. 1 .
  • System 100 may also support two-way communication between one-time programmable circuit 103 and security feature 104 as shown in FIG. 1 .
  • Security feature access register 102 is a volatile storage circuit that may include, for example, one or more flip-flop circuits.
  • Security feature 104 may be, for example, a secure storage area of an IC, a test mode of an IC, a configuration mode of a programmable IC, a user mode of an IC, the programmable logic circuits of a programmable logic IC, an encryption key, a physically unclonable function (PUF), to name a few examples.
  • a PUF is on-die circuitry that uses non-reproducible manufacturing variations of the IC die to produce a function that is a unique and unclonable function in every IC die.
  • a PUF can be used to generate a challenge-response pair. The input to a PUF is the challenge, and the output of the PUF is the response.
  • the challenge and the response may each be, for example, hundreds or thousands of bits.
  • PUPs can be used to protect encryption keys.
  • a secret PUF can be used to hide an encryption key, for example, by XORing the encryption key with the PUF response to generate an output key.
  • the original encryption key can be extracted from the output key by XORing the output key with the PUF response.
  • a PUF can also be used to generate an encryption key.
  • Security feature 104 may be any type of PUF.
  • PUFs Two examples of PUFs are an arbiter PUF and a static-RAM PUF.
  • An arbiter PUF is a PUF that uses the difference between the delays of two different signal paths in an IC die that is caused by manufacturing variations of an individual IC die.
  • a static-RAM PUF is a PUF that is based on individual memory cells of an SRAM circuit in an IC powering up to random states.
  • a PUF may be a soft PUF or a hard PUF.
  • Hard PUFs are implemented directly into the silicon of an IC.
  • Soft PUFs are implemented by configuring programmable resources in an IC, such as lookup tables, registers, and memories.
  • Both static RAM and arbiter PUFs can be implemented as hard PUFs or as soft PUFs using programmable resources in a programmable IC.
  • security feature 104 may be, for example, the combination of a soft PUF implemented by programmable resources in a programmable IC and a configuration mode of the programmable IC.
  • the combination of the soft PUF and the configuration mode as the security feature 104 protects against attacks on the soft PUF.
  • the state of one-time programmable circuit 103 indicates if the IC has ever been configured before a user first received the IC. If the one-time programmable circuit 103 indicates that the IC has been configured before by another user, it is possible that an attacker may have intercepted the IC, programmed the soft PUF into the programmable resources, and read the PUF response.
  • the one-time programmable circuit 103 indicates that the IC has not been configured before by another user, the user can be confident that the user has gained sole knowledge of the PUF response. The user can then use the PUF response to create or protect an encryption key that prevents future configurations of the IC by anyone who does not correctly enter the encryption key. For example, a user may program the one-time programmable circuit 103 to cause the IC to require the correct entry of a PUF protected or created encryption key before the IC enters configuration mode and user mode. This embodiment prevents an attacker from subsequently gaining access to the PUF response.
  • One-time programmable circuit 103 may include, for example, one or more non-volatile, one-time programmable fuses (also referred to herein simply as fuses) and/or one or more non-volatile, one-time programmable antifuses (also referred to herein simply as antifuses).
  • Each one-time programmable fuse has a conductive path that conducts current before the fuse is blown. After the fuse is blown (i.e., programmed), the conductive path is broken, and the fuse conducts little or no current through the previously conductive path. Each fuse can be programmed/blown only one time.
  • a one-time programmable fuse may include a resistor that burns out when an over current, over load, or mismatched load connect event occurs.
  • Each one-time programmable antifuse initially has a high resistance path that conducts little or no current until the antifuse is programmed. After the antifuse is programmed, the antifuse has a low resistance conductive path that conducts significantly more current. Each antifuse can be programmed only one time.
  • FIG. 2 is a flow chart that shows examples of operations that may be performed to clear a security feature access register, according to an embodiment.
  • the security feature access register 102 is cleared after a power on reset operation of the integrated circuit (IC) that contains the security feature access register 102 and the security feature 104.
  • the IC performs a power on reset operation. A power on reset operation may occur each time the IC receives power (i.e., is powered up) after being powered off.
  • control circuit 101 clears the security feature access register 102.
  • Control circuit 101 may clear the security feature access register 102 by causing the bit (or bits) stored in the security feature access register 102 to have a predefined clear value.
  • the predefined clear value is a known value that may be, e.g., a logic low state, a logic high state, or a predefined set of bit values if register 102 stores multiple bits.
  • FIG. 3 is a flow chart that illustrates examples of operations that may be performed to determine if an IC will allow a user to access a security feature, according to an embodiment.
  • one-time programmable circuit 103 includes a one-time programmable disable circuit and a one-time programmable enable circuit.
  • the one-time programmable disable and enable circuits of FIG. 3 can be fuses, antifuses, or any combination of one or more fuses and one or more antifuses.
  • control circuit 101 allows a user of the IC to access the security feature 104 only if the one-time programmable disable circuit is not programmed, and the one-time programmable enable circuit is programmed.
  • control circuit 101 may optionally cause the one-time programmable enable circuit to be programmed automatically.
  • the one-time programmable enable circuit may be used as a future indicator that the security feature 104 has been previously accessed. Granting access to security feature 104 may include setting the security feature access register 102 to a predefined access value, which will allow a user to access security feature 104 at least until the next power on reset event in the IC.
  • control circuit 101 receives a request to access the security feature 104.
  • the request may be generated in response to input from a user of the IC requesting access to security feature 104.
  • control circuit 101 determines if the bit (or bits) stored in the security feature access register 102 is set to the access value.
  • the access value may be, e.g., the opposite logic state as the predefined clear value. If the bit (or bits) stored in the security feature access register 102 is set to the access value at operation 302, control circuit 101 grants the user access to security feature 104 in operation 308 as shown in FIG. 3 .
  • control circuit 101 determines if the one-time programmable disable circuit is programmed. If the one-time programmable disable circuit is programmed at operation 303, control circuit 101 asserts a failure signal in operation 309, and control circuit 101 prevents a user of the IC from accessing the security feature 104.
  • a user interface may provide a message to the user in response to the failure signal generated in operation 309 to indicate that a failure has occurred and/or that the security feature 104 cannot be accessed.
  • the control circuit 101 may cause the one-time programmable disable circuit to be programmed to prevent a user from accessing the security feature 104, for example, in response to user input or in response to a user accessing the security feature 104.
  • a one-time programmable circuit may prevent a user from accessing a security feature, for example, by physically blocking signal access to the security feature when the one-time programmable circuit is programmed.
  • Signal access to security feature 104 may, for example, be routed through one-time programmable circuit 103, e.g., via a two-way communication path between circuits 103 and 104.
  • the output of the one-time programmable disable circuit may, for example, cause one or more logic gate circuits to block any signal access to security feature 104.
  • control circuit 101 may prevent access to security feature 104 in response to detecting that the one-time programmable disable circuit is programmed. After the one-time programmable disable circuit is programmed, control circuit 101 blocks all accesses by a user of the IC to security feature 104.
  • control circuit 101 proceeds to operation 304.
  • control circuit 101 determines if the one-time programmable enable circuit is programmed. If the one-time programmable enable circuit is programmed at operation 304, control circuit 101 grants the user access to security feature 104 in operation 308 as shown in FIG. 3 . Control circuit 101 may also optionally indicate to the user that the security feature 104 has been previously accessed. If the one-time programmable enable circuit is not programmed at operation 304, control circuit 101 causes the one-time programmable enable circuit to be programmed in operation 305.
  • control circuit 101 again determines if the one-time programmable enable circuit is programmed. If control circuit 101 determines that the one-time programmable enable circuit is not programmed at operation 306, control circuit 101 asserts the failure signal in operation 309 as shown in FIG. 3 and prevents the user from accessing the security feature 104. If control circuit 101 determines that the one-time programmable enable circuit is programmed at operation 306, control circuit 101 sets the security feature access register 102 to the access value in operation 307. Control circuit 101 then grants the user access to the security feature 104 in operation 308 as shown in FIG. 3 . Control circuit 101 allows the user to access the security feature 104 additional times by implementing additional iterations of operations 301-302 and 308 until the next power on reset of the IC. After the next power on reset of the IC, the security feature access register 102 is cleared to the clear value as disclosed herein with respect to FIG. 2 .
  • security in an IC is improved by disabling access to one or more security features of the IC, such as test mode, configuration of a programmable IC, user mode, or access to certain security areas, such as encryption keys or the output of hard or soft PUF circuitry, before or after one or more non-volatile, one-time programmable circuits are programmed.
  • Control circuit 101 may detect if the one or more one-time programmable circuits have been previously programmed to deny or grant access to the security feature.
  • ICs integrated circuits
  • manufacturers are unwilling to set this test disable bit for all customers, because doing so would prevent the failure analysis of any IC returned from the field.
  • the manufacturer selectively sets the test disable bit for some customers, but sold some ICs without the test disable bit being set, users who received an IC that did not have the test disable bit set would be able to enter test mode, set the test disable bit, and subsequently reintroduce the IC into the supply chain. Users who care about the security of their ICs would not be able to distinguish these tampered ICs from ICs that were not tampered with. Manufacturers may have similar problems in controlling access to other security features of their ICs.
  • control circuit 101 of FIG. 1 prevents undetected access to a test mode of an IC.
  • access to the test mode by a user of the IC is controlled based on the states of two one-time programmable enable circuits and two one-time programmable disable circuits.
  • This embodiment may, for example, be implemented by two iterations of the operations shown in FIG. 3 .
  • access to the features of the test mode by a user of the IC is prevented until the first one-time programmable enable circuit is programmed, e.g., in the first iteration of operation 305.
  • Access to the test mode can be temporarily disabled by programming the first one-time programmable disable circuit.
  • Control circuit 101 prevents the user from accessing test mode if the first or second one-time programmable disable circuit is programmed, as disclosed with respect to operations 303 and 309. Access to the test mode of the IC by a user can then be re-enabled by programming the second one-time programmable enable circuit, e.g., in the second iteration of operation 305 after a power on reset of the IC. Access to the test mode of the IC by a user can then be permanently prevented by programming the second one-time programmable disable circuit. If the second one-time programmable enable circuit is not programmed when the second one-time programmable disable circuit is programmed, the second one-time programmable enable circuit cannot be programmed after the second one-time programmable disable circuit is programmed.
  • the original states of the one-time programmable circuits are made accessible to designs implemented by the IC (e.g., designs programmed into an FPGA) and to users of the IC (e.g., through JTAG ports).
  • the manufacturer responsible for functionality tests of the IC is then able to detect if an IC has been intercepted and if the test mode of the IC has been accessed anywhere along the prior supply chain by checking if the first one-time programmable enable circuit was previously programmed by someone other than the functionality tester. The manufacturer may then respond appropriately (e.g., by marking or destroying the IC).
  • the manufacturer programs the first one-time programmable disable circuit and reintroduces the IC into the supply or sales chain.
  • the user or the user's design that is programmed into the FPGA
  • the user can check that the first one-time programmable disable circuit is programmed, and that the second one-time programmable enable circuit is not programmed. If the second one-time programmable enable circuit has been programmed, the user is then able to detect that the test mode of the IC has been accessed somewhere along the supply chain after having left the functionality testing facility of the manufacturer. The user can then respond appropriately (e.g., return the device to the manufacturer). If the user so chooses, and does not want the ability to return the IC to the manufacturer for possible future failure analysis, the user can program the second one-time programmable disable circuit to permanently disable the test mode of the IC.
  • separate PUF access enable and disable one-time programmable circuits may allow access to a response generated by a PUF in an IC in response to a challenge input.
  • the PUF access enable and disable one-time programmable circuits control secure access to an encryption key generated from a PUF response.
  • separate configuration enable and disable one-time programmable circuits for a programmable IC may allow access to user configuration of the IC. The configuration enable/disable one-time programmable circuits ensure that a user of the programmable IC is receiving a new IC, as opposed to a "grey market" IC that had been previously used.
  • FIG. 4 is a flow chart that illustrates examples of operations that may be performed to determine if an IC will allow a user to access a security feature, according to another embodiment.
  • one-time programmable circuit 103 can include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses.
  • granting access to security feature 104 includes setting the security feature access register 102 to a predefined access value to allow a user to access security feature 104 at least until the next power on reset event in the IC.
  • the one-time programmable circuit 103 being programmed is an indicator that the security feature 104 has been previously accessed.
  • control circuit 101 receives a request to access the security feature 104.
  • the request may be generated in response to input from a user requesting access to security feature 104.
  • control circuit 101 determines if the bit (or bits) stored in the security feature access register 102 is set to the access value. If the bit (or bits) stored in the security feature access register 102 is set to the access value at operation 402, control circuit 101 grants the user access to security feature 104 in operation 407 as shown in FIG. 4 .
  • control circuit 101 determines if the one-time programmable circuit 103 is programmed. If the one-time programmable circuit 103 is programmed at operation 403, control circuit 101 asserts a failure signal in operation 408 and prevents the user from accessing the security feature 104.
  • a user interface may provide a message to the user in response to the failure signal to indicate that a failure has occurred and/or that the security feature 104 cannot be accessed.
  • Control circuit 101 may cause the one-time programmable circuit 103 to be programmed to prevent a user from accessing the security feature 104 after the next power on reset of the IC, for example, in response to a user accessing the security feature 104.
  • control circuit 101 proceeds to operation 404.
  • control circuit 101 causes the one-time programmable circuit 103 to be programmed.
  • control circuit 101 again determines if the one-time programmable circuit 103 is programmed. If control circuit 101 determines that the one-time programmable circuit 103 is not programmed at operation 405, control circuit 101 asserts the failure signal in operation 408 as shown in FIG. 4 and prevents the user from accessing the security feature 104.
  • control circuit 101 determines that the one-time programmable circuit 103 is programmed at operation 405, control circuit 101 sets the security feature access register 102 to the access value in operation 406. Control circuit 101 then grants the user access to the security feature 104 in operation 407 as shown in FIG. 4 . Control circuit 101 grants the user additional accesses to the security feature 104 by implementing additional iterations of operations 401-402 and 407 until the next power on reset of the IC. After the next power on reset of the IC, the security feature access register 102 is cleared to the clear value as disclosed herein with respect to FIG. 2 , and then the control circuit 101 does not allow any user of the IC any additional accesses to the security feature 104.
  • FIG. 5 illustrates an example of a security feature access system 500, according to another embodiment.
  • the security feature access system 500 of FIG. 5 includes a configuration control circuit 501, a one-time programmable circuit 502, and programmable logic and routing circuits 503.
  • Security feature access system 500 including circuits 501-503, may be located entirely within a programmable integrated circuit (IC).
  • the IC may be, for example, an FPGA, a PLD, a PLA, or another type of programmable IC.
  • Programmable logic and routing circuits 503 are programmable resources of a programmable IC.
  • Configuration control circuit 501 may be, for example, a state machine, a processor circuit, a portion of a processor circuit, or another type of control circuit.
  • System 500 supports two-way communication between control circuit 501 and each of one-time programmable circuit 502 and programmable logic and routing circuits 503, as shown by arrows in FIG. 5 .
  • One-time programmable circuit 502 can include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses.
  • the programmable logic and routing circuits 503 may include an array of programmable logic circuits and programmable routing circuits (e.g., multiplexers) that controls a network of routing conductors to interconnect the programmable logic circuits.
  • the security feature protected by the one-time programmable circuit 502 is a configuration mode of the programmable IC, and thus access to the programmable logic and programmable routing circuits 503 of the IC.
  • One-time programmable circuit 502 is used to control access to the configuration mode of the programmable IC.
  • programmable logic and programmable routing circuits 503 in the programmable IC are configured with a configuration bitstream that is loaded into the IC from an external source.
  • the programmable IC is configured with the configuration bitstream during the configuration mode to implement a user design for the IC.
  • Configuration control circuit 501 controls access to the configuration mode of the IC.
  • the configuration control circuit 501 also controls user access to the programmable logic and programmable routing circuits 503.
  • Configuration control circuit 501 may allow a user to cause the programmable IC to enter configuration mode to configure the programmable IC if the one-time programmable circuit 502 is programmed.
  • the control circuit 501 may prevent the programmable IC from entering configuration mode if the one-time programmable circuit 502 is not programmed.
  • Figures 6-8 illustrate operations that may be performed using system 500 according to various embodiments.
  • FIG. 6 is a flow chart that illustrates examples of operations for determining if a programmable integrated circuit (IC) has been previously configured, according to an embodiment.
  • FIG. 6 shows the supply chain flow when a user first receives an ostensibly new programmable IC from a distributer.
  • the operations of FIG. 6 allow a user to determine if the programmable resources of the programmable IC have ever been configured before by checking the state of the one-time programmable circuit 502.
  • the programmable resources of the programmable IC may be configured in a configuration mode and then subsequently utilized in a user mode. If the programmable IC has already been configured, the user may return the IC to the manufacturer and mark the IC as used, or discard the IC.
  • the user may optionally program the one-time programmable circuit 502 and proceed with configuring the IC.
  • the one-time programmable circuit 502 is not programmed when the manufacturer powers up the IC into a test mode.
  • the programmable IC as discussed with respect to FIGS. 6-8 may be, for example, an FPGA, a PLD, a PLA, or even an application specific integrated circuit (ASIC) that has some programmable features.
  • the security feature may, as an example, include the combination of a soft PUF implemented by the programmable resources and a configuration or user mode of the programmable IC.
  • the combination of the soft PUF and the configuration/user mode as the security feature protects against attacks on the soft PUF, as described above.
  • the state of one-time programmable circuit 502 indicates if the IC has ever been configured before a user first receives the IC.
  • the user After a user receives a programmable IC from a distributer, the user powers up the programmable IC.
  • operation 601 an attempt is made to access configuration mode or user mode after the programmable IC has powered up, as shown in FIG. 6 .
  • the attempt to access the configuration mode or user mode in operation 601 may occur in response to user input, or the programmable IC may automatically attempt to enter configuration mode or user mode after the IC powers up.
  • the configuration control circuit 501 determines if the one-time programmable circuit 502 (e.g., that has a fuse and/or an antifuse) is programmed in response to the attempt in operation 601.
  • the control circuit 501 may assert an error signal in operation 603.
  • a user interface may indicate to the user that the programmable IC has already been configured in response to the error signal that is asserted in operation 603. The user may then optionally decide to return the programmable IC, discard the programmable IC, or continue with configuring the programmable IC.
  • control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 602, the user of the IC may optionally decide to program circuit 502 in operation 604. If the user decides to program circuit 502 after operation 602, the user may enter input into a user interface, and then in response to the user input, a control signal is sent to the control circuit 501. In response to receiving this control signal, control circuit 501 causes the one-time programmable circuit 502 to be programmed (e.g., blow a fuse) in operation 604. Control circuit 501 then proceeds to operation 605. In operation 605, control circuit 501 asserts a signal to indicate that the user may add the programmable IC to the user's inventory. The user interface may display a message to the user in response to the signal asserted in operation 605. The message may indicate that the user can add the programmable IC to the user's inventory.
  • control circuit 501 asserts a signal to indicate that the user may add the programmable IC to the user's inventory.
  • Figure 7 is a flow chart that illustrates operations that determine if a programmable integrated circuit (IC) has been previously programmed, according to an embodiment.
  • Control circuit 501 checks if the programmable resources of the programmable IC have ever been previously configured by a user whenever an attempt is made to configure the programmable IC.
  • the programmable IC cannot be configured until the one-time programmable circuit 502 is programmed. Therefore, the one-time programmable circuit 502 being in a programmed state indicates that the programmable IC has been previously configured.
  • the operations of FIG. 7 may occur after operation 604 of FIG. 6 .
  • one-time programmable circuit 502 may include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses.
  • the programmable IC receives a request from the user to configure the programmable IC and/or to enter the configuration mode.
  • the request is routed to the configuration control circuit 501.
  • the configuration control circuit 501 determines if the one-time programmable circuit 502 is programmed in response to receiving the request in operation 701. If the configuration control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 702, then the control circuit 501 asserts an error signal in operation 704.
  • the error signal generated in operation 704 indicates that circuit 502 is not programmed.
  • a user interface may indicate to the user that circuit 502 is not programmed and that circuit 502 must be programmed in order to proceed to the configuration mode of the IC.
  • the user interface may display to the user an option to program circuit 502 in response to the error signal generated in operation 704. If the user chooses the option to program circuit 502, control circuit 501 causes circuit 502 to be programmed, and then circuit 501 repeats operation 702. If the user does not choose the option to program circuit 502, control circuit 501 may prevent the programmable IC from entering configuration mode and user mode.
  • the programmable IC can only be configured with a user's design in the configuration mode. Therefore, preventing the programmable IC from entering the configuration mode prevents a user from configuring the programmable IC.
  • control circuit 501 may automatically cause one-time programmable circuit 502 to be programmed in response to determining that circuit 502 is not programmed in operation 702. Control circuit 501 then repeats operation 702 to confirm that one-time programmable circuit 502 is programmed.
  • control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 702, then the control circuit 501 proceeds to operation 703. In operation 703, control circuit 501 allows the programmable IC to enter configuration mode. During configuration mode, the programmable IC is configured to implement the user's design. Configuration control circuit 501 may also control the configuration of the programmable IC during or after operation 703.
  • the programmable IC can enter a user mode during which the user's design that has been configured into the IC is used for its intended purpose.
  • the IC does not allow the user to enter user mode until the IC has been configured with a user design in the configuration mode.
  • the state of the one-time programmable circuit 502 also indicates whether the IC has ever entered the user mode.
  • Figure 8 is a flow chart that illustrates examples of operations that determine if a programmable integrated circuit (IC) has been previously configured, according to an embodiment.
  • Control circuit 501 checks if the one-time programmable circuit 502 is programmed when an attempt is made to configure the programmable IC. If the one-time programmable circuit 502 is not programmed, then control circuit 501 automatically programs circuit 502. The programmable IC cannot be configured until the one-time programmable circuit 502 is programmed. Therefore, the one-time programmable circuit 502 being in a programmed state indicates that the programmable IC has been previously configured.
  • the operations of FIG. 8 may occur after operation 604 of FIG. 6 .
  • one-time programmable circuit 502 may include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses.
  • the programmable IC receives a request from the user to configure the programmable IC in operation 801.
  • the request is routed to the configuration control circuit 501.
  • the configuration control circuit 501 determines if the one-time programmable circuit 502 is programmed in response to receiving the request in operation 801. If the configuration control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 802, then the control circuit 501 allows the programmable IC to enter configuration mode in operation 805.
  • Configuration control circuit 501 may also control the configuration of the programmable IC in configuration mode during or after operation 805.
  • control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 802, then the control circuit 501 proceeds to operation 803. In operation 803, control circuit 501 causes the one-time programmable circuit 502 to be programmed. The control circuit 501 then proceeds to operation 804. In operation 804, the control circuit 501 determines if the one-time programmable circuit 502 is programmed. If the control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 804, then the control circuit 501 allows the programmable IC to enter configuration mode in operation 805.
  • control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 804, then the control circuit 501 asserts an error signal in operation 806.
  • a user interface may indicate to the user that an error has occurred in attempting to program the one-time programmable circuit 502. The control circuit 501 may then prevent the programmable IC from entering configuration mode and user mode.
  • PAL programmable array logic
  • PLA programmable logic arrays
  • FPLA field programmable logic arrays
  • EPLD electrically programmable logic devices
  • EEPLD electrically erasable programmable logic devices
  • LCDA logic cell arrays
  • FPGA field programmable gate arrays
  • ASSP application specific standard products
  • ASIC application specific integrated circuits
  • DSP digital signal processors
  • GPU graphics processing units
  • the integrated circuits described herein may be part of a data processing system that includes one or more of the following components; a processor; memory; input/output circuitry; and peripheral devices.
  • the integrated circuits can be used in a wide variety of applications, such as computer networking, data networking, instrumentation, video processing, digital signal processing, or any suitable other application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Human Computer Interaction (AREA)
  • Semiconductor Integrated Circuits (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)
  • Storage Device Security (AREA)
  • Logic Circuits (AREA)

Description

    FIELD OF THE DISCLOSURE
  • The present disclosure relates to electronic circuits and systems, and more particularly, to circuits and methods for protecting security features of integrated circuits.
    • BACKGROUND
  • A field programmable gate array (FPGA) is an integrated circuit that has programmable logic circuits and programmable routing circuits. The programmable logic and routing can be configured with a configuration bitstream that is loaded into the FPGA from an external source. An FPGA may also have a test mode that is used by the manufacturer of the FPGA to check that the FPGA is fully-functional before being sold, and also used to perform failure analysis on an FPGA returned from the field. Test mode often provides greater access and control over elements in the FPGA than the access and control provided to an ordinary user through the bitstream. An FPGA may contain a fuse that can be used to permanently disable test mode access or to prevent the programming or read-back of encryption keys.
  • US 2014/0137271 A1 relates to data security and access tracking in a memory deivce. The memory device includes but is not limited to a substrate, a non-volatile memory array integrated on the substrate, and data security logic integrated with the non-volatile memory array on the substrate. The data security logic is operable to perform at least one data security function associated with the non-volatile memory array.
  • US 2010/0174848 A1 dislcoses a data processing apparatus which comprises a monolithic integrated circuit having a data processor, a non-volatile memory storing at least one security code, and at least one interface at the boundary of the integrated circuit via which communication with the data processor can occur. Processing by the data processor of data received at the at least one interface is controlled by the at least one security code.
  • GB 2331821 A discloses an electronic sealed envelope. Restricted data is stored on e.g. a smart card having a memory and a processor. Preferably the restricted data is stored in groups. The smart card may store a record of users authorized to access certain groups of restricted data. An owner of the smart card must authorize registration of new users by entering their password, the new users are then given their own passwords in order to retrieve certain groups of restricted data. When a registered user uses his password to retrieve restricted data the smart card irretrievably modifies a codeword of the restricted data group, each codeword corresponding to an authorized user. The owner of the smart card is then able to determine if the restricted data has been accessed by checking for modified codewords.
  • US 2011/0141791 A1 discloses a system and a method to control a one-time programmable memory. A device includes the one-time-programmable memory including multiple random accessible input/output pins. Each random accessible I/O pin corresponds to a unique memory address in the one-time-programmable memory. The device also includes a multiplexing circuit with multiple inputs. Each of the multiple inputs is coupled to one of the multiple random accessible I/O pins. An output of the multiplexing circuit has a bit width that is less than the number of the multiple random accessible I/O pins.
  • US 2015/0082420 A1 relates to security certificates for system-on-chip (SoC) security. The SoC includes multiple hardware modules that are implemented on a substrate. The hardware modules include a plurality of hardware and software security features and the SoC provides one or more external interfaces for accessing the security features. A validation module, implemented in the boot code of the SoC for example, manages security certificates to control access to the plurality of security features. Each security certificate includes one or more unique identifiers corresponding to one or more hardware modules in the SoC and access control settings for one or more security features of the one or more hardware modules. The security certificate additionally includes a certificate signature signed by a secure key.
    • BRIEF SUMMARY
  • The object of the present application is solved by the independent claims. Advantageous embodiments are described by the dependent claims. According to some embodiments, an integrated circuit includes a control circuit, a one-time programmable circuit, and a security feature. The control circuit determines if the one-time programmable circuit is programmed in response to a request by a user of the integrated circuit to access the security feature. The control circuit generates a signal to indicate to the user of the integrated circuit that the security feature has been previously accessed if the control circuit determines that the one-time programmable circuit has been programmed to indicate a previous access to the security feature. The control circuit causes the one-time programmable circuit to be programmed in response to the request if the control circuit determines that the one-time programmable circuit has not been programmed.
  • Various objects, features, and advantages of the present invention will become apparent upon consideration of the following detailed description and the accompanying drawings.
    • BRIEF DESCRIPTION OF THE DRAWINGS
    • Figure 1 illustrates an example of a security feature access system, according to an embodiment.
    • Figure 2 is a flow chart that shows examples of operations that may be performed to clear a security feature access register, according to an embodiment.
    • Figure 3 is a flow chart that illustrates examples of operations that may be performed to determine if an integrated circuit (IC) will allow a user to access a security feature, according to an embodiment.
    • Figure 4 is a flow chart that illustrates examples of operations that may be performed to determine if an IC will allow a user to access a security feature, according to another embodiment.
    • Figure 5 illustrates an example of another security feature access system, according to a further embodiment.
    • Figure 6 is a flow chart that illustrates examples of operations for determining if a programmable integrated circuit (IC) has been previously configured, according to an embodiment.
    • Figure 7 is a flow chart that illustrates examples of operations that determine if a programmable integrated circuit (IC) has been previously programmed, according to another embodiment.
    • Figure 8 is a flow chart that illustrates other examples of operations that determine if a programmable integrated circuit (IC) has been previously programmed, according to a further embodiment.
    DETAILED DESCRIPTION
  • Field programmable gate array (FPGA) integrated circuits (also referred to as devices) are often used in critical commercial, industrial, and military infrastructure; and therefore, they may be subject to attack by hostile adversaries. An attack may be intended to damage an FPGA device, to cause the device to fail prematurely due to life-time stress conditions, or to make a deployed device more susceptible to future attacks.
  • For example, the test mode of an FPGA device could be used to deliberately over-stress certain transistors in the FPGA device, making the transistors susceptible to premature negative bias temperature instability (NBTI) effects. These effects could be used to imprint static random access memory (RAM) or registers in the FPGA device, causing them to power-up to a known state that is favorable to an attacker.
  • Another form of an attack involves intercepting secrets that are stored in the FPGA, such as encryption keys. These secrets stored in the FPGA device may be protected by unique values in the FPGA device, such as unique values created by physically unclonable functions (PUPs). These values may need to be known by the end user of the FPGA before deploying the device, but the end user would want to prevent an attacker from extracting the secret before or after the FPGA is deployed, because an attacker might intercept the FPGA anywhere along its supply chain. Other forms of tampering may have less malicious motivation, but still need to be protected against. For example, the reselling of previously used (and thus partially stressed and worn-out) FPGA devices as new and fresh FPGA devices would also have the effect of causing the FPGA devices to unexpectedly fail prematurely in their second application.
  • According to some embodiments disclosed herein, a security feature of an integrated circuit (IC) is protected by a one-time programmable circuit. A control circuit may allow a user access to the security feature of the IC based on the state of the one-time programmable circuit. The control circuit may prevent a user from accessing the security feature of the IC based on the state of the one-time programmable circuit. The security feature may be, for example, an encryption key, a physically unclonable function (PUF), a secure storage area of the IC, a test mode of the IC, a configuration mode of an FPGA, or a user mode of an IC. The security feature may also be referred to as a secure feature.
  • In some embodiments, the control circuit may allow a user to access the security feature of the IC only until the next power on reset of the IC that occurs after the one-time programmable circuit has been programmed by setting a security feature access register. After the next power on reset of the IC, the IC clears the security feature access register to a cleared state. In response to the security feature access register being in a cleared state, the control circuit prevents a user from accessing the security feature of the IC. The security feature access register may, for example, remain in a cleared state indefinitely, or the security feature access register may be set again by another one-time programmable circuit. Figures 1-4 illustrate some examples of these embodiments.
  • Figure 1 illustrates an example of a security feature access system 100, according to an embodiment. The security feature access system 100 of Figure (FIG.) 1 includes a control circuit 101, a security feature access register circuit 102, a one-time programmable circuit 103, and a security feature 104. Security feature access system 100, including circuits 101-104, may be located entirely within an integrated circuit (IC). The IC may be, for example, an FPGA, a programmable logic device (PLD), a programmable logic array (PLA), a processor, a memory device, an analog device, or any other type of IC. Control circuit 101 may be, for example, a state machine, a processor circuit, a portion of a processor circuit, programmable logic circuits programmed to function as a controller, or another type of control circuit.
  • System 100 supports two-way communication between control circuit 101 and each of security feature access register 102, one-time programmable circuit 103, and security feature 104, as shown by arrows in FIG. 1. System 100 may also support two-way communication between one-time programmable circuit 103 and security feature 104 as shown in FIG. 1. Security feature access register 102 is a volatile storage circuit that may include, for example, one or more flip-flop circuits.
  • Security feature 104 may be, for example, a secure storage area of an IC, a test mode of an IC, a configuration mode of a programmable IC, a user mode of an IC, the programmable logic circuits of a programmable logic IC, an encryption key, a physically unclonable function (PUF), to name a few examples. A PUF is on-die circuitry that uses non-reproducible manufacturing variations of the IC die to produce a function that is a unique and unclonable function in every IC die. A PUF can be used to generate a challenge-response pair. The input to a PUF is the challenge, and the output of the PUF is the response. The challenge and the response may each be, for example, hundreds or thousands of bits. PUPs can be used to protect encryption keys. A secret PUF can be used to hide an encryption key, for example, by XORing the encryption key with the PUF response to generate an output key. The original encryption key can be extracted from the output key by XORing the output key with the PUF response. A PUF can also be used to generate an encryption key.
  • Security feature 104 may be any type of PUF. Two examples of PUFs are an arbiter PUF and a static-RAM PUF. An arbiter PUF is a PUF that uses the difference between the delays of two different signal paths in an IC die that is caused by manufacturing variations of an individual IC die. A static-RAM PUF is a PUF that is based on individual memory cells of an SRAM circuit in an IC powering up to random states.
  • A PUF may be a soft PUF or a hard PUF. Hard PUFs are implemented directly into the silicon of an IC. Soft PUFs are implemented by configuring programmable resources in an IC, such as lookup tables, registers, and memories. Both static RAM and arbiter PUFs can be implemented as hard PUFs or as soft PUFs using programmable resources in a programmable IC.
  • In an embodiment, security feature 104 may be, for example, the combination of a soft PUF implemented by programmable resources in a programmable IC and a configuration mode of the programmable IC. The combination of the soft PUF and the configuration mode as the security feature 104 protects against attacks on the soft PUF. In this embodiment, the state of one-time programmable circuit 103 indicates if the IC has ever been configured before a user first received the IC. If the one-time programmable circuit 103 indicates that the IC has been configured before by another user, it is possible that an attacker may have intercepted the IC, programmed the soft PUF into the programmable resources, and read the PUF response. If the one-time programmable circuit 103 indicates that the IC has not been configured before by another user, the user can be confident that the user has gained sole knowledge of the PUF response. The user can then use the PUF response to create or protect an encryption key that prevents future configurations of the IC by anyone who does not correctly enter the encryption key. For example, a user may program the one-time programmable circuit 103 to cause the IC to require the correct entry of a PUF protected or created encryption key before the IC enters configuration mode and user mode. This embodiment prevents an attacker from subsequently gaining access to the PUF response.
  • One-time programmable circuit 103 may include, for example, one or more non-volatile, one-time programmable fuses (also referred to herein simply as fuses) and/or one or more non-volatile, one-time programmable antifuses (also referred to herein simply as antifuses). Each one-time programmable fuse has a conductive path that conducts current before the fuse is blown. After the fuse is blown (i.e., programmed), the conductive path is broken, and the fuse conducts little or no current through the previously conductive path. Each fuse can be programmed/blown only one time. A one-time programmable fuse may include a resistor that burns out when an over current, over load, or mismatched load connect event occurs. Each one-time programmable antifuse initially has a high resistance path that conducts little or no current until the antifuse is programmed. After the antifuse is programmed, the antifuse has a low resistance conductive path that conducts significantly more current. Each antifuse can be programmed only one time.
  • Figure 2 is a flow chart that shows examples of operations that may be performed to clear a security feature access register, according to an embodiment. In the embodiment of FIG. 2, the security feature access register 102 is cleared after a power on reset operation of the integrated circuit (IC) that contains the security feature access register 102 and the security feature 104. In operation 201, the IC performs a power on reset operation. A power on reset operation may occur each time the IC receives power (i.e., is powered up) after being powered off. In operation 202, control circuit 101 clears the security feature access register 102. Control circuit 101 may clear the security feature access register 102 by causing the bit (or bits) stored in the security feature access register 102 to have a predefined clear value. The predefined clear value is a known value that may be, e.g., a logic low state, a logic high state, or a predefined set of bit values if register 102 stores multiple bits.
  • Figure 3 is a flow chart that illustrates examples of operations that may be performed to determine if an IC will allow a user to access a security feature, according to an embodiment. In the embodiment of FIG. 3, one-time programmable circuit 103 includes a one-time programmable disable circuit and a one-time programmable enable circuit. The one-time programmable disable and enable circuits of FIG. 3 can be fuses, antifuses, or any combination of one or more fuses and one or more antifuses. In the embodiment of FIG. 3, control circuit 101 allows a user of the IC to access the security feature 104 only if the one-time programmable disable circuit is not programmed, and the one-time programmable enable circuit is programmed. If both the one-time programmable disable and enable circuits are not programmed, control circuit 101 may optionally cause the one-time programmable enable circuit to be programmed automatically. The one-time programmable enable circuit may be used as a future indicator that the security feature 104 has been previously accessed. Granting access to security feature 104 may include setting the security feature access register 102 to a predefined access value, which will allow a user to access security feature 104 at least until the next power on reset event in the IC.
  • In operation 301, control circuit 101 receives a request to access the security feature 104. The request may be generated in response to input from a user of the IC requesting access to security feature 104. In operation 302, control circuit 101 determines if the bit (or bits) stored in the security feature access register 102 is set to the access value. The access value may be, e.g., the opposite logic state as the predefined clear value. If the bit (or bits) stored in the security feature access register 102 is set to the access value at operation 302, control circuit 101 grants the user access to security feature 104 in operation 308 as shown in FIG. 3.
  • If the bit (or bits) stored in the security feature access register 102 is not set to the access value at operation 302, control circuit 101 proceeds to operation 303. In operation 303, control circuit 101 determines if the one-time programmable disable circuit is programmed. If the one-time programmable disable circuit is programmed at operation 303, control circuit 101 asserts a failure signal in operation 309, and control circuit 101 prevents a user of the IC from accessing the security feature 104. A user interface may provide a message to the user in response to the failure signal generated in operation 309 to indicate that a failure has occurred and/or that the security feature 104 cannot be accessed. The control circuit 101 may cause the one-time programmable disable circuit to be programmed to prevent a user from accessing the security feature 104, for example, in response to user input or in response to a user accessing the security feature 104.
  • A one-time programmable circuit may prevent a user from accessing a security feature, for example, by physically blocking signal access to the security feature when the one-time programmable circuit is programmed. Signal access to security feature 104 may, for example, be routed through one-time programmable circuit 103, e.g., via a two-way communication path between circuits 103 and 104. When the one-time programmable disable circuit in circuit 103 is programmed, the output of the one-time programmable disable circuit may, for example, cause one or more logic gate circuits to block any signal access to security feature 104.
  • As another example, all accesses to security feature 104 may be routed through control circuit 101. In this example, control circuit 101 may prevent access to security feature 104 in response to detecting that the one-time programmable disable circuit is programmed. After the one-time programmable disable circuit is programmed, control circuit 101 blocks all accesses by a user of the IC to security feature 104.
  • If the one-time programmable disable circuit is not programmed at operation 303, control circuit 101 proceeds to operation 304. In operation 304, control circuit 101 determines if the one-time programmable enable circuit is programmed. If the one-time programmable enable circuit is programmed at operation 304, control circuit 101 grants the user access to security feature 104 in operation 308 as shown in FIG. 3. Control circuit 101 may also optionally indicate to the user that the security feature 104 has been previously accessed. If the one-time programmable enable circuit is not programmed at operation 304, control circuit 101 causes the one-time programmable enable circuit to be programmed in operation 305.
  • In operation 306, control circuit 101 again determines if the one-time programmable enable circuit is programmed. If control circuit 101 determines that the one-time programmable enable circuit is not programmed at operation 306, control circuit 101 asserts the failure signal in operation 309 as shown in FIG. 3 and prevents the user from accessing the security feature 104. If control circuit 101 determines that the one-time programmable enable circuit is programmed at operation 306, control circuit 101 sets the security feature access register 102 to the access value in operation 307. Control circuit 101 then grants the user access to the security feature 104 in operation 308 as shown in FIG. 3. Control circuit 101 allows the user to access the security feature 104 additional times by implementing additional iterations of operations 301-302 and 308 until the next power on reset of the IC. After the next power on reset of the IC, the security feature access register 102 is cleared to the clear value as disclosed herein with respect to FIG. 2.
  • According to some embodiments of the present invention, security in an IC is improved by disabling access to one or more security features of the IC, such as test mode, configuration of a programmable IC, user mode, or access to certain security areas, such as encryption keys or the output of hard or soft PUF circuitry, before or after one or more non-volatile, one-time programmable circuits are programmed. Control circuit 101 may detect if the one or more one-time programmable circuits have been previously programmed to deny or grant access to the security feature.
  • As discussed above, some previously known integrated circuits (ICs) have a test disable bit that can be set to disable access to a test mode. However, many manufacturers are unwilling to set this test disable bit for all customers, because doing so would prevent the failure analysis of any IC returned from the field. On the other hand, with these previously known ICs, if the manufacturer selectively sets the test disable bit for some customers, but sold some ICs without the test disable bit being set, users who received an IC that did not have the test disable bit set would be able to enter test mode, set the test disable bit, and subsequently reintroduce the IC into the supply chain. Users who care about the security of their ICs would not be able to distinguish these tampered ICs from ICs that were not tampered with. Manufacturers may have similar problems in controlling access to other security features of their ICs.
  • According to an exemplary embodiment, control circuit 101 of FIG. 1 prevents undetected access to a test mode of an IC. In this exemplary embodiment, access to the test mode by a user of the IC is controlled based on the states of two one-time programmable enable circuits and two one-time programmable disable circuits. This embodiment may, for example, be implemented by two iterations of the operations shown in FIG. 3. In this embodiment, access to the features of the test mode by a user of the IC is prevented until the first one-time programmable enable circuit is programmed, e.g., in the first iteration of operation 305. Access to the test mode can be temporarily disabled by programming the first one-time programmable disable circuit. Control circuit 101 prevents the user from accessing test mode if the first or second one-time programmable disable circuit is programmed, as disclosed with respect to operations 303 and 309. Access to the test mode of the IC by a user can then be re-enabled by programming the second one-time programmable enable circuit, e.g., in the second iteration of operation 305 after a power on reset of the IC. Access to the test mode of the IC by a user can then be permanently prevented by programming the second one-time programmable disable circuit. If the second one-time programmable enable circuit is not programmed when the second one-time programmable disable circuit is programmed, the second one-time programmable enable circuit cannot be programmed after the second one-time programmable disable circuit is programmed.
  • The original states of the one-time programmable circuits (as of the time the IC is powered-on) are made accessible to designs implemented by the IC (e.g., designs programmed into an FPGA) and to users of the IC (e.g., through JTAG ports). The manufacturer responsible for functionality tests of the IC is then able to detect if an IC has been intercepted and if the test mode of the IC has been accessed anywhere along the prior supply chain by checking if the first one-time programmable enable circuit was previously programmed by someone other than the functionality tester. The manufacturer may then respond appropriately (e.g., by marking or destroying the IC). After the IC has been tested, the manufacturer programs the first one-time programmable disable circuit and reintroduces the IC into the supply or sales chain. When a user receives the IC from the supply chain, the user (or the user's design that is programmed into the FPGA) can check that the first one-time programmable disable circuit is programmed, and that the second one-time programmable enable circuit is not programmed. If the second one-time programmable enable circuit has been programmed, the user is then able to detect that the test mode of the IC has been accessed somewhere along the supply chain after having left the functionality testing facility of the manufacturer. The user can then respond appropriately (e.g., return the device to the manufacturer). If the user so chooses, and does not want the ability to return the IC to the manufacturer for possible future failure analysis, the user can program the second one-time programmable disable circuit to permanently disable the test mode of the IC.
  • Other security-related features can be implemented in a similar manner. For example, separate PUF access enable and disable one-time programmable circuits may allow access to a response generated by a PUF in an IC in response to a challenge input. The PUF access enable and disable one-time programmable circuits control secure access to an encryption key generated from a PUF response. As another example, separate configuration enable and disable one-time programmable circuits for a programmable IC may allow access to user configuration of the IC. The configuration enable/disable one-time programmable circuits ensure that a user of the programmable IC is receiving a new IC, as opposed to a "grey market" IC that had been previously used.
  • Figure 4 is a flow chart that illustrates examples of operations that may be performed to determine if an IC will allow a user to access a security feature, according to another embodiment. In the embodiment of FIG. 4, one-time programmable circuit 103 can include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses. In the embodiment of FIG. 4, granting access to security feature 104 includes setting the security feature access register 102 to a predefined access value to allow a user to access security feature 104 at least until the next power on reset event in the IC. The one-time programmable circuit 103 being programmed is an indicator that the security feature 104 has been previously accessed.
  • In operation 401, control circuit 101 receives a request to access the security feature 104. The request may be generated in response to input from a user requesting access to security feature 104. In operation 402, control circuit 101 determines if the bit (or bits) stored in the security feature access register 102 is set to the access value. If the bit (or bits) stored in the security feature access register 102 is set to the access value at operation 402, control circuit 101 grants the user access to security feature 104 in operation 407 as shown in FIG. 4.
  • If the bit (or bits) stored in the security feature access register 102 is not set to the access value at operation 402, control circuit 101 proceeds to operation 403. In operation 403, control circuit 101 determines if the one-time programmable circuit 103 is programmed. If the one-time programmable circuit 103 is programmed at operation 403, control circuit 101 asserts a failure signal in operation 408 and prevents the user from accessing the security feature 104. A user interface may provide a message to the user in response to the failure signal to indicate that a failure has occurred and/or that the security feature 104 cannot be accessed. Control circuit 101 may cause the one-time programmable circuit 103 to be programmed to prevent a user from accessing the security feature 104 after the next power on reset of the IC, for example, in response to a user accessing the security feature 104.
  • If the one-time programmable circuit 103 is not programmed at operation 403, control circuit 101 proceeds to operation 404. In operation 404, control circuit 101 causes the one-time programmable circuit 103 to be programmed. In operation 405, control circuit 101 again determines if the one-time programmable circuit 103 is programmed. If control circuit 101 determines that the one-time programmable circuit 103 is not programmed at operation 405, control circuit 101 asserts the failure signal in operation 408 as shown in FIG. 4 and prevents the user from accessing the security feature 104.
  • If control circuit 101 determines that the one-time programmable circuit 103 is programmed at operation 405, control circuit 101 sets the security feature access register 102 to the access value in operation 406. Control circuit 101 then grants the user access to the security feature 104 in operation 407 as shown in FIG. 4. Control circuit 101 grants the user additional accesses to the security feature 104 by implementing additional iterations of operations 401-402 and 407 until the next power on reset of the IC. After the next power on reset of the IC, the security feature access register 102 is cleared to the clear value as disclosed herein with respect to FIG. 2, and then the control circuit 101 does not allow any user of the IC any additional accesses to the security feature 104.
  • Figure 5 illustrates an example of a security feature access system 500, according to another embodiment. The security feature access system 500 of FIG. 5 includes a configuration control circuit 501, a one-time programmable circuit 502, and programmable logic and routing circuits 503. Security feature access system 500, including circuits 501-503, may be located entirely within a programmable integrated circuit (IC). The IC may be, for example, an FPGA, a PLD, a PLA, or another type of programmable IC. Programmable logic and routing circuits 503 are programmable resources of a programmable IC. Configuration control circuit 501 may be, for example, a state machine, a processor circuit, a portion of a processor circuit, or another type of control circuit. System 500 supports two-way communication between control circuit 501 and each of one-time programmable circuit 502 and programmable logic and routing circuits 503, as shown by arrows in FIG. 5. One-time programmable circuit 502 can include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses. The programmable logic and routing circuits 503 may include an array of programmable logic circuits and programmable routing circuits (e.g., multiplexers) that controls a network of routing conductors to interconnect the programmable logic circuits.
  • In the embodiment of Figure 5, the security feature protected by the one-time programmable circuit 502 is a configuration mode of the programmable IC, and thus access to the programmable logic and programmable routing circuits 503 of the IC. One-time programmable circuit 502 is used to control access to the configuration mode of the programmable IC. During the configuration mode, programmable logic and programmable routing circuits 503 in the programmable IC are configured with a configuration bitstream that is loaded into the IC from an external source. The programmable IC is configured with the configuration bitstream during the configuration mode to implement a user design for the IC. Configuration control circuit 501 controls access to the configuration mode of the IC. Thus, the configuration control circuit 501 also controls user access to the programmable logic and programmable routing circuits 503. Configuration control circuit 501 may allow a user to cause the programmable IC to enter configuration mode to configure the programmable IC if the one-time programmable circuit 502 is programmed. The control circuit 501 may prevent the programmable IC from entering configuration mode if the one-time programmable circuit 502 is not programmed. Figures 6-8 illustrate operations that may be performed using system 500 according to various embodiments.
  • Figure 6 is a flow chart that illustrates examples of operations for determining if a programmable integrated circuit (IC) has been previously configured, according to an embodiment. FIG. 6 shows the supply chain flow when a user first receives an ostensibly new programmable IC from a distributer. The operations of FIG. 6 allow a user to determine if the programmable resources of the programmable IC have ever been configured before by checking the state of the one-time programmable circuit 502. The programmable resources of the programmable IC may be configured in a configuration mode and then subsequently utilized in a user mode. If the programmable IC has already been configured, the user may return the IC to the manufacturer and mark the IC as used, or discard the IC. If the IC has not been configured previously, the user may optionally program the one-time programmable circuit 502 and proceed with configuring the IC. The one-time programmable circuit 502 is not programmed when the manufacturer powers up the IC into a test mode. The programmable IC as discussed with respect to FIGS. 6-8 may be, for example, an FPGA, a PLD, a PLA, or even an application specific integrated circuit (ASIC) that has some programmable features.
  • In FIGS. 6-8, the security feature may, as an example, include the combination of a soft PUF implemented by the programmable resources and a configuration or user mode of the programmable IC. The combination of the soft PUF and the configuration/user mode as the security feature protects against attacks on the soft PUF, as described above. The state of one-time programmable circuit 502 indicates if the IC has ever been configured before a user first receives the IC.
  • After a user receives a programmable IC from a distributer, the user powers up the programmable IC. In operation 601, an attempt is made to access configuration mode or user mode after the programmable IC has powered up, as shown in FIG. 6. The attempt to access the configuration mode or user mode in operation 601 may occur in response to user input, or the programmable IC may automatically attempt to enter configuration mode or user mode after the IC powers up. In operation 602, the configuration control circuit 501 determines if the one-time programmable circuit 502 (e.g., that has a fuse and/or an antifuse) is programmed in response to the attempt in operation 601. If the configuration control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 602, then the control circuit 501 may assert an error signal in operation 603. A user interface may indicate to the user that the programmable IC has already been configured in response to the error signal that is asserted in operation 603. The user may then optionally decide to return the programmable IC, discard the programmable IC, or continue with configuring the programmable IC.
  • If the configuration control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 602, the user of the IC may optionally decide to program circuit 502 in operation 604. If the user decides to program circuit 502 after operation 602, the user may enter input into a user interface, and then in response to the user input, a control signal is sent to the control circuit 501. In response to receiving this control signal, control circuit 501 causes the one-time programmable circuit 502 to be programmed (e.g., blow a fuse) in operation 604. Control circuit 501 then proceeds to operation 605. In operation 605, control circuit 501 asserts a signal to indicate that the user may add the programmable IC to the user's inventory. The user interface may display a message to the user in response to the signal asserted in operation 605. The message may indicate that the user can add the programmable IC to the user's inventory.
  • Figure 7 is a flow chart that illustrates operations that determine if a programmable integrated circuit (IC) has been previously programmed, according to an embodiment. Control circuit 501 checks if the programmable resources of the programmable IC have ever been previously configured by a user whenever an attempt is made to configure the programmable IC. The programmable IC cannot be configured until the one-time programmable circuit 502 is programmed. Therefore, the one-time programmable circuit 502 being in a programmed state indicates that the programmable IC has been previously configured. The operations of FIG. 7 may occur after operation 604 of FIG. 6. In the embodiments of FIGS. 6-7, one-time programmable circuit 502 may include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses.
  • In operation 701, the programmable IC receives a request from the user to configure the programmable IC and/or to enter the configuration mode. The request is routed to the configuration control circuit 501. In operation 702, the configuration control circuit 501 determines if the one-time programmable circuit 502 is programmed in response to receiving the request in operation 701. If the configuration control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 702, then the control circuit 501 asserts an error signal in operation 704. The error signal generated in operation 704 indicates that circuit 502 is not programmed.
  • In response to the error signal generated in operation 704, a user interface may indicate to the user that circuit 502 is not programmed and that circuit 502 must be programmed in order to proceed to the configuration mode of the IC. The user interface may display to the user an option to program circuit 502 in response to the error signal generated in operation 704. If the user chooses the option to program circuit 502, control circuit 501 causes circuit 502 to be programmed, and then circuit 501 repeats operation 702. If the user does not choose the option to program circuit 502, control circuit 501 may prevent the programmable IC from entering configuration mode and user mode. The programmable IC can only be configured with a user's design in the configuration mode. Therefore, preventing the programmable IC from entering the configuration mode prevents a user from configuring the programmable IC.
  • Alternatively, control circuit 501 may automatically cause one-time programmable circuit 502 to be programmed in response to determining that circuit 502 is not programmed in operation 702. Control circuit 501 then repeats operation 702 to confirm that one-time programmable circuit 502 is programmed.
  • If the configuration control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 702, then the control circuit 501 proceeds to operation 703. In operation 703, control circuit 501 allows the programmable IC to enter configuration mode. During configuration mode, the programmable IC is configured to implement the user's design. Configuration control circuit 501 may also control the configuration of the programmable IC during or after operation 703.
  • After the programmable IC has been configured in the configuration mode, the programmable IC can enter a user mode during which the user's design that has been configured into the IC is used for its intended purpose. In an embodiment, the IC does not allow the user to enter user mode until the IC has been configured with a user design in the configuration mode. Thus, in this embodiment, the state of the one-time programmable circuit 502 also indicates whether the IC has ever entered the user mode.
  • Figure 8 is a flow chart that illustrates examples of operations that determine if a programmable integrated circuit (IC) has been previously configured, according to an embodiment. Control circuit 501 checks if the one-time programmable circuit 502 is programmed when an attempt is made to configure the programmable IC. If the one-time programmable circuit 502 is not programmed, then control circuit 501 automatically programs circuit 502. The programmable IC cannot be configured until the one-time programmable circuit 502 is programmed. Therefore, the one-time programmable circuit 502 being in a programmed state indicates that the programmable IC has been previously configured. The operations of FIG. 8 may occur after operation 604 of FIG. 6. In the embodiment of FIG. 8, one-time programmable circuit 502 may include one or more fuses, one or more antifuses, or a combination of one or more fuses and one or more antifuses.
  • Referring to FIG. 8, the programmable IC receives a request from the user to configure the programmable IC in operation 801. The request is routed to the configuration control circuit 501. In operation 802, the configuration control circuit 501 determines if the one-time programmable circuit 502 is programmed in response to receiving the request in operation 801. If the configuration control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 802, then the control circuit 501 allows the programmable IC to enter configuration mode in operation 805. During configuration mode, the programmable IC is configured to implement the user's design. Configuration control circuit 501 may also control the configuration of the programmable IC in configuration mode during or after operation 805.
  • If the configuration control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 802, then the control circuit 501 proceeds to operation 803. In operation 803, control circuit 501 causes the one-time programmable circuit 502 to be programmed. The control circuit 501 then proceeds to operation 804. In operation 804, the control circuit 501 determines if the one-time programmable circuit 502 is programmed. If the control circuit 501 determines that the one-time programmable circuit 502 is programmed in operation 804, then the control circuit 501 allows the programmable IC to enter configuration mode in operation 805.
  • If the control circuit 501 determines that the one-time programmable circuit 502 is not programmed in operation 804, then the control circuit 501 asserts an error signal in operation 806. In response to the error signal asserted in operation 806, a user interface may indicate to the user that an error has occurred in attempting to program the one-time programmable circuit 502. The control circuit 501 may then prevent the programmable IC from entering configuration mode and user mode.
  • The methods and apparatuses described herein may be incorporated into any suitable electronic device or system of electronic devices. For example, the methods and apparatuses may be incorporated into numerous types of integrated circuits, such as programmable array logic (PAL), programmable logic arrays (PLAs), field programmable logic arrays (FPLAs), electrically programmable logic devices (EPLDs), electrically erasable programmable logic devices (EEPLDs), logic cell arrays (LCAs), field programmable gate arrays (FPGAs), application specific standard products (ASSPs), application specific integrated circuits (ASICs), digital signal processors (DSPs), microprocessors, and graphics processing units (GPUs).
  • The integrated circuits described herein may be part of a data processing system that includes one or more of the following components; a processor; memory; input/output circuitry; and peripheral devices. The integrated circuits can be used in a wide variety of applications, such as computer networking, data networking, instrumentation, video processing, digital signal processing, or any suitable other application.
  • Although the method operations were described in a specific order, it should be understood that other operations may be performed in between described operations, described operations may be adjusted so that they occur at slightly different times or in a different order, or described operations may be distributed in a system that allows the occurrence of the processing operations at various intervals associated with the processing.

Claims (12)

  1. An integrated circuit comprising:
    a control circuit (101, 501);
    a one-time programmable circuit (103, 502) comprising a one-time programmable disable circuit and a one-time programmable enable circuit; and
    a security feature (104), wherein the control circuit (101, 501) determines if the one-time programmable disable circuit and the one-time programmable enable circuit are programmed in response to a request by a user of the integrated circuit to access the security feature (104), the control circuit (101, 501) causes the one-time programmable enable circuit to be programmed in response to the request to access the security feature (104), and the control circuit (101, 501) generates a signal to indicate to the user of the integrated circuit that the security feature (104) has been previously accessed if the control circuit (101, 501) determines that the one-time programmable enable circuit has been programmed,
    wherein the control circuit (101, 501) causes the one-time programmable enable circuit to be programmed in response to the request if the control circuit (101, 501) determines that the one-time programmable enable circuit has not been programmed, and
    wherein the control circuit (101, 501) prevents a user of the integrated circuit from accessing the security feature (104) if the control circuit (101, 501) determines that the one-time programmable disable circuit has been programmed.
  2. The integrated circuit of claim 1, wherein the security feature (104) is at least one of circuitry that implements a physically unclonable function in the integrated circuit, a storage circuit in the integrated circuit that stores secure information, programmable logic circuits in the integrated circuit, or programmable routing circuits in the integrated circuit.
  3. The integrated circuit of claim 1, wherein the security feature (104) is at least one of a configuration mode of the integrated circuit, a test mode of the integrated circuit, an encryption key, or secure data stored in the integrated circuit.
  4. The integrated circuit of claim 1, wherein the one-time programmable circuit (103, 502) comprises at least one fuse, at least one antifuse, or any combination of fuses and antifuses.
  5. The integrated circuit of claim 1 further comprising:
    a security feature access register (102), wherein the control circuit (101, 501) causes an access value to be stored in the security feature access register (102) after causing the one-time programmable enable circuit to be programmed, and wherein the control circuit (101, 501) only allows a user of the integrated circuit to access the security feature (104) when the security feature access register (102) is set to the access value.
  6. The integrated circuit of claim 5, wherein the control circuit (101, 501) clears the security feature access register (102) to a clear value in response to the integrated circuit being powered up after being powered off.
  7. The integrated circuit of claim 1, wherein the control circuit (101, 501) allows a user of the integrated circuit to access the security feature (104) after programming the one-time programmable circuit (103, 502) and before a next power on reset of the integrated circuit.
  8. A method for protecting security features of an integrated circuit comprising a control circuit (101, 501) and a one-time programmable circuit (103, 502) comprising a one-time programmable disable circuit and a one-time programmable enable circuit, the method comprising:
    determining if the one-time programmable disable circuit and the one-time programmable enable circuit are programmed using the control circuit (101, 501) in response to a request by a user of the integrated circuit to access a security feature (104);
    causing the one-time programmable enable circuit to be programmed in response to the request to access the security feature (104);
    generating a signal to indicate to the user of the integrated circuit that the security feature (104) has been previously accessed if the control circuit (101, 501) determines that the one-time programmable enable circuit has been programmed;
    causing the one-time programmable enable circuit to be programmed in response to the request if the control circuit (101, 501) determines that the one-time programmable enable circuit has not been programmed; and
    preventing a user of the integrated circuit from accessing the security feature (104) if the control circuit (101,501) determines that the one-time programmable disable circuit has been programmed.
  9. The method of claim 8, wherein the security feature (104) is at least one of circuitry that implements a physically unclonable function in the integrated circuit, a storage circuit in the integrated circuit that stores secure information, programmable logic circuits in the integrated circuit, programmable routing circuits in the integrated circuit, a configuration mode of the integrated circuit, a test mode of the integrated circuit, an encryption key, or secure data stored in the integrated circuit.
  10. The method of claim 8, wherein the one-time programmable circuit (103, 502) comprises at least one fuse, at least one antifuse, or a combination of at least one fuse and at least one antifuse.
  11. The method of claim 8 further comprising:
    preventing a user of the integrated circuit from accessing the security feature (104) if the control circuit (101, 501) determines that the one-time programmable disable circuit has been previously programmed by another user.
  12. The method of claim 8 further comprising:
    with the control circuit (101, 501), causing an access value to be stored in a security feature access register (102) after the control circuit (101, 501) causes the one-time programmable enable circuit to be programmed;
    with the control circuit (101, 501), allowing a user of the integrated circuit to access the security feature (104) only when the security feature access register (102) is set to the access value; and
    with the control circuit (101, 501), clearing the security feature access register (102) to a clear value in response to the integrated circuit being powered up after being powered off.
EP17760462.6A 2016-03-04 2017-02-10 Techniques for protecting security features of integrated circuits Active EP3423985B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/061,622 US10095889B2 (en) 2016-03-04 2016-03-04 Techniques for protecting security features of integrated circuits
PCT/US2017/017507 WO2017151294A1 (en) 2016-03-04 2017-02-10 Techniques for protecting security features of integrated circuits

Publications (3)

Publication Number Publication Date
EP3423985A1 EP3423985A1 (en) 2019-01-09
EP3423985A4 EP3423985A4 (en) 2019-10-30
EP3423985B1 true EP3423985B1 (en) 2023-08-23

Family

ID=59722956

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17760462.6A Active EP3423985B1 (en) 2016-03-04 2017-02-10 Techniques for protecting security features of integrated circuits

Country Status (4)

Country Link
US (2) US10095889B2 (en)
EP (1) EP3423985B1 (en)
CN (1) CN108604282B (en)
WO (1) WO2017151294A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10318431B2 (en) * 2015-09-17 2019-06-11 Hewlett Packard Enterprise Development Lp Obscuration of a cache signal
US10095889B2 (en) * 2016-03-04 2018-10-09 Altera Corporation Techniques for protecting security features of integrated circuits
ES2957712T3 (en) * 2016-04-07 2024-01-24 Nagravision Sarl Flexible cryptographic device
US10511451B2 (en) * 2016-11-04 2019-12-17 Taiwan Semiconductor Manufacturing Company Ltd. Physically unclonable function (PUF) device and method of extending challenge/response pairs in a PUF device
KR102518881B1 (en) * 2017-01-09 2023-04-05 삼성전자주식회사 Method for operating semiconductor device
JP6882678B2 (en) * 2017-06-30 2021-06-02 富士通株式会社 Collision detection system and collision detection method
US10819528B2 (en) 2017-07-18 2020-10-27 Square, Inc. Device security with physically unclonable functions
US10263793B2 (en) * 2017-07-18 2019-04-16 Square, Inc. Devices with modifiable physically unclonable functions
US10438190B2 (en) 2017-07-18 2019-10-08 Square, Inc. Devices with on-board physically unclonable functions
US10623192B2 (en) * 2017-08-25 2020-04-14 Synopsys, Inc. Gate oxide breakdown in OTP memory cells for physical unclonable function (PUF) security
US11151290B2 (en) * 2018-09-17 2021-10-19 Analog Devices, Inc. Tamper-resistant component networks
US11636907B2 (en) * 2020-06-30 2023-04-25 Nuvoton Technology Corporation Integrity verification of lifecycle-state memory using multi-threshold supply voltage detection
US11380622B2 (en) 2020-11-20 2022-07-05 Globalfoundries U.S. Inc. Method and related structure to authenticate integrated circuit with authentication film
US11469178B2 (en) 2020-12-18 2022-10-11 Globalfoundries U.S. Inc. Metal-free fuse structures
TWI753761B (en) * 2021-01-27 2022-01-21 慧榮科技股份有限公司 Memory device startup information reconstruction method and system thereof
EP4047587A1 (en) * 2021-02-22 2022-08-24 HENSOLDT Sensors GmbH Chip device and method for a randomized logic encryption
US11901304B2 (en) 2021-05-18 2024-02-13 Globalfoundries U.S. Inc. Integrated circuit structure with fluorescent material, and related methods

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5264742A (en) * 1990-01-09 1993-11-23 Sgs-Thomson Microelectronics, S.A. Security locks for integrated circuit
US5452355A (en) 1994-02-02 1995-09-19 Vlsi Technology, Inc. Tamper protection cell
US5394367A (en) * 1994-03-18 1995-02-28 Ramtron International Corporation System and method for write-protecting predetermined portions of a memory array
GB2331821A (en) * 1997-11-27 1999-06-02 Northern Telecom Ltd Electronic sealed envelope
US6690193B1 (en) * 2002-08-26 2004-02-10 Analog Devices, Inc. One-time end-user-programmable fuse array circuit and method
US8379861B2 (en) 2004-11-22 2013-02-19 Freescale Semiconductor, Inc. Integrated circuit and a method for secure testing
US7606362B1 (en) 2005-01-25 2009-10-20 Altera Corporation FPGA configuration bitstream encryption using modified key
JP2009505205A (en) * 2005-08-10 2009-02-05 エヌエックスピー ビー ヴィ Testing integrated circuits containing confidential information
US7567449B2 (en) 2006-10-27 2009-07-28 Xilinx, Inc. One-time-programmable logic bit with multiple logic elements
WO2008077240A1 (en) * 2006-12-22 2008-07-03 Sidense Corp. Mask programmable anti-fuse architecture
US7778074B2 (en) 2007-03-23 2010-08-17 Sigmatel, Inc. System and method to control one time programmable memory
US8347111B2 (en) * 2009-01-06 2013-01-01 Hewlett-Packard Development Company, L.P. Data processing apparatus
KR101061313B1 (en) * 2010-01-28 2011-08-31 주식회사 하이닉스반도체 Semiconductor memory device including security control device
JP5576557B2 (en) * 2011-03-31 2014-08-20 ルネサスエレクトロニクス株式会社 Processor system and control method thereof
JP5889691B2 (en) * 2012-03-28 2016-03-22 株式会社Screenホールディングス Substrate processing apparatus and substrate processing method
US8925098B2 (en) * 2012-11-15 2014-12-30 Elwha Llc Data security and access tracking in memory
US8885819B2 (en) 2012-12-27 2014-11-11 Intel Corporation Fuse attestation to secure the provisioning of secret keys during integrated circuit manufacturing
US9262259B2 (en) * 2013-01-14 2016-02-16 Qualcomm Incorporated One-time programmable integrated circuit security
US9716708B2 (en) 2013-09-13 2017-07-25 Microsoft Technology Licensing, Llc Security certificates for system-on-chip security
US9628086B2 (en) * 2013-11-14 2017-04-18 Case Western Reserve University Nanoelectromechanical antifuse and related systems
US20150143130A1 (en) * 2013-11-18 2015-05-21 Vixs Systems Inc. Integrated circuit provisioning using physical unclonable function
KR20160022097A (en) 2014-08-19 2016-02-29 삼성전자주식회사 Semiconductor memory device and memory module having reconfiguration rejecting function
US9830108B2 (en) * 2015-10-12 2017-11-28 Sandisk Technologies Llc Write redirect
US10095889B2 (en) * 2016-03-04 2018-10-09 Altera Corporation Techniques for protecting security features of integrated circuits

Also Published As

Publication number Publication date
CN108604282A (en) 2018-09-28
EP3423985A4 (en) 2019-10-30
US20170257222A1 (en) 2017-09-07
US10095889B2 (en) 2018-10-09
US20190026497A1 (en) 2019-01-24
CN108604282B (en) 2022-04-15
WO2017151294A1 (en) 2017-09-08
EP3423985A1 (en) 2019-01-09
US10657291B2 (en) 2020-05-19

Similar Documents

Publication Publication Date Title
EP3423985B1 (en) Techniques for protecting security features of integrated circuits
US7761714B2 (en) Integrated circuit and method for preventing an unauthorized access to a digital value
US9941880B1 (en) Secure voltage regulator
TWI483139B (en) Secure key storage using physically unclonable functions
US7550324B1 (en) Interface port for electrically programmed fuses in a programmable logic device
US8885819B2 (en) Fuse attestation to secure the provisioning of secret keys during integrated circuit manufacturing
EP3949333A1 (en) Verifying identity of a vehicle entering a trust zone
US9870488B1 (en) Method and apparatus for securing programming data of a programmable device
EP2702526B1 (en) Method and apparatus for securing programming data of a programmable device
US7906983B2 (en) Programmable logic device having an embedded test logic with secure access control
Pierce et al. Enhanced secure architecture for joint action test group systems
Trimberger et al. FPGA security: From features to capabilities to trusted systems
US11411749B2 (en) System and method for performing netlist obfuscation for a semiconductor device
Sumathi et al. A review on HT attacks in PLD and ASIC designs with potential defence solutions
TWI783531B (en) Method performed by a system-on-chip integrated circuit device and a computer apparatus
US7987358B1 (en) Methods of authenticating a user design in a programmable integrated circuit
US8863230B1 (en) Methods of authenticating a programmable integrated circuit in combination with a non-volatile memory device
Kumar et al. A novel holistic security framework for in-field firmware updates
Peterson Developing tamper-resistant designs with ultrascale and ultrascale+ FPGAs
US7299390B1 (en) Apparatus and method for encrypting security sensitive data
CN112470158A (en) Fault characterization system and method for programmable logic device
Perumalla et al. Memometer: Memory PUF-Based Hardware Metering Methodology for FPGAs
Zamiri Azar et al. Infrastructure Supporting Logic Locking
Perumalla Memometer: Strong PUF-Based Passive Memory Hardware Metering Methodology for Integrated Circuits
GB2605168A (en) An integrated circuit having a secure area

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20180731

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20190930

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/14 20060101ALI20190924BHEP

Ipc: G06F 21/71 20130101ALI20190924BHEP

Ipc: G06F 21/76 20130101AFI20190924BHEP

Ipc: G06F 21/62 20130101ALI20190924BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20211026

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602017073107

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: G06F0021760000

Ipc: G09C0001000000

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: G06F0021760000

Ipc: G09C0001000000

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/32 20060101ALI20230224BHEP

Ipc: H04L 9/08 20060101ALI20230224BHEP

Ipc: G06F 21/71 20130101ALI20230224BHEP

Ipc: G06F 21/62 20130101ALI20230224BHEP

Ipc: G09C 1/00 20060101AFI20230224BHEP

INTG Intention to grant announced

Effective date: 20230321

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602017073107

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230921

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1603541

Country of ref document: AT

Kind code of ref document: T

Effective date: 20230823

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231124

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20231207

Year of fee payment: 8

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231223

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231226

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231123

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231223

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231124

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 20231215

Year of fee payment: 8

Ref country code: FR

Payment date: 20231212

Year of fee payment: 8

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20231128

Year of fee payment: 8

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602017073107

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20240524

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230823

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20240210